V13.2 requirements

[elarlang]

✔ Point 1

13.2.2 Verify that if a credential has to be used for service authentication, the credential being used by the consumer is not a default credential (e.g., root/root or admin/admin are default in some services during installation).

Proposal:

13.2.2 Verify that if a credential has to be used for service authentication, the credential being used by the consumer is not a default credential (e.g., root/root or admin/admin).

---

✔ Point 2

13.2.3 Verify that, if the application allows changing configurations around passwords or connection parameters for integrations with external databases and services, they are protected by extra controls such as authenticating again with at least one factor or multi-user approval.

Proposal:

• passwords > credentials
• remove "external"

13.2.3 Verify that, if the application allows changing configurations around credentials or connection parameters for integrations with databases and services, they are protected by extra controls such as authenticating again with at least one factor or multi-user approval.

---

Point 3

13.2.4 Verify that the web or application server is configured with an allowlist of resources or systems to which the server can send requests or load data or files from.

I think we need to re-word it. Most likely this requirement is satisified by some WAF rules. We should not require it to be done by configuration in web or application server.

---

✔ Point 4

Move 13.2.1 and 13.2.5 next to each other

• 13.2.1 Verify that communications between backend application components that don't support the application's standard user session mechanism, including APIs, middleware, and data layers, are authenticated. Authentication must use individual service accounts, short-term tokens, or certificate-based authentication and not unchanging credentials such as passwords, API keys, or shared accounts with privileged access.
• 13.2.5 Verify that communications between backend application components, including local or operating system services, APIs, middleware, and data layers, are performed with accounts assigned the least necessary privileges.

[jmanico]

For 13.2.4 This is sometimes just a WAF, sometimes it's firewall policy, sometimes is code level allow lists. Can we consider all of these?

Otherwise +1 to these changes

[randomstuff]

13.2.4 Verify that the web or application server is configured with an allowlist of resources or systems to which the server can send requests or load data or files from.

I think we need to re-word it. Most likely this requirement is satisified by some WAF rules.

Don't WAFs typically only handle the incoming flows (where the application is acting as a server)? I understood this requirement to be about outgoing flows (where the application is acting as a client).

We should not require it to be done by configuration in web or application server.

I agree that this is typically done by some firewall rules but I would interpret a firewall to be an implementation option for "application server is configured with an allowlist", though.

[elarlang]

The point is, we should not limit and dictate the technical solution how to achieve this, we just need to require what must be achieved. At the moment I feel that this requirement may be interpreted literally and then rules in WAF are not accepted by some tester or implementer.

[jmanico]

The point is, we should not limit and dictate the technical solution how to achieve this, we just need to require what must be achieved. At the moment I feel that this requirement may be interpreted literally and then rules in WAF are not accepted by some tester or implementer.

I think this is definitely the way to go. There are so many different ways to solve this. Once again I think this is an astute observation, @elarlang and I'm extremely impressed with the level of detail in which you are reviewing the entire standard the past few days.

[elarlang]

Update - points 1, 2 and 4 are addressed.

13.2.4 now (after PR merge) has number 13.2.5

13.2.5 Verify that the web or application server is configured with an allowlist of resources or systems to which the server can send requests or load data or files from.

Goal to achieve: an allowlist of resources or systems to which the application can send requests or load data or files from

Proposal:

Verify that for the application is applyed an allowlist of resources and systems to which it can send requests, or load data or files from. It may be achieved by the application code, web server, or firewall, or by any combination of them.

[elarlang]

Offtopic:

@elarlang and I'm extremely impressed with the level of detail in which you are reviewing the entire standard the past few days.

It is actually close to 2 weeks of intense review now, as you can see, here I have already reached V13 and now all V17 have received the first feedback.

The level of detail has always been involved and taken into account, keeping in mind the big picture and alignment that everything fits together. This is something to keep in mind when you jump into opposition mode - first figure out why something is done as it is done.

[jmanico]

Offtopic:

@elarlang and I'm extremely impressed with the level of detail in which you are reviewing the entire standard the past few days.

It is actually close to 2 weeks of intense review now, as you can see, here I have already reached V13 and now all V17 have received the first feedback.

The level of detail has always been involved and taken into account, keeping in mind the big picture and alignment that everything fits together. This is something to keep in mind when you jump into opposition mode - first figure out why something is done as it is done.

Acknowledged — two weeks of deep review is even more impressive, and I genuinely meant the compliment. It’s very disappointing to see a sincere acknowledgment turned into a veiled critique. I’d prefer we engage with mutual respect, even when we disagree. Assuming opposition instead of an positive intention to help undermines the collaborative spirit of OWASP that we both value.